Cyber & Technology
Cross-Border Data Requests: A Proposed Framework
Editor’s note: This post also appears on Just Security.
We’ve both written and spoken extensively (for example, here, here, here, here, and here) about issues related to cross-border data requests. At this point, it seems that the contours of the problem are well established, and our goal here is to try and flesh out a principled framework for moving forward.
The motivation for this framework is simple. We are deeply concerned that in the absence of such a framework, states will continue or accelerate a number of policies that weaken Internet privacy over the long run. These include: forced data localization, which will compromise user privacy, facilitate domestic surveillance in repressive states, and increase the costs of doing business online; governmental reliance on alternative (i.e., extra-legal) means of accessing the data; and government demand for mandatory anti-encryption regimes (i.e. backdoors) as an end-run on the restrictions on access to stored content. We also are concerned about the increasing difficulties faced by foreign governments seeking evidence necessary to solve and prevent crimes. And we worry about US-based corporations being increasingly forced to choose which set of government laws to comply with – a choice that puts companies in an untenable position. With the right framework for cross-border data requests in place, we believe it is possible to minimize and ideally halt these trends, and create momentum for increased privacy and related rights across the globe.
As we envision it, this framework would apply to cross-border requests for stored communications, such as emails and other stored electronic content, and it could be operationalized through a series of bilateral and/or multilateral agreements. The focus is necessarily US-centric, since, at least currently, it is US-based corporations that manage the bulk of the world’s data, and it is US law that imposes the greatest barriers to foreign law enforcement seeking access to this data.
This framework draws from our discussions with a wide range of stakeholders over the past year (including internet companies, civil society groups, and various governmental actors), and reflects our best attempt to reconcile the varied interests into a proposal that we hope can generate broad-based support. (With that in mind, we welcome and in fact encourage suggestions for improvement from our readers.)
I. Expedited Access to Data
Under current law, foreign governments seeking the content of communications (e.g., emails) that are held in another jurisdiction by US-based companies must make government-to-government requests for the data—even if the data is relevant solely for the investigation of local crime. In order to ultimately get the data, they must obtain a warrant from a US judge based on probable cause—a process that takes an average of ten months. Foreign governments must go through this process even when they are investigating a local crime involving a local victim and a local suspect, and the only connection to the United States is that the data happens to be held by a US firm. Foreign governments are understandably frustrated by this state of affairs and have responded in a number of undesirable ways, from passing data localization laws to increased surveillance.
This framework would relieve some of these pressures. Specifically, the framework would modify the Electronic Communications Privacy Act (ECPA) in order to permit US-based providers to respond directly to foreign government requests for stored communications in cases where the requesting entity makes an adequate showing of three things: (i) the requesting government has a legitimate interest in the criminal activity being investigated; (ii) the target is located outside the United States; and (iii) the target is not a US person (defined to include US citizens and legal permanent residents).
If, as an example, UK law enforcement agents were investigating a local crime involving UK nationals and the suspect’s emails happened to be held by a US-based provider, those UK agents would no longer need to go through the laborious—and incredibly time-consuming—diplomatic process of requesting legal assistance from the US government. Rather, the UK government could go directly to the provider to seek the requested data, subject to the conditions and provisions of this framework and as agreed upon by the US
Such a regime reflects the relevant governmental interests in the data sought. If the only connection to the United States is the happenstance that the data is held by a US company, but the suspect, crime, and victim are all British, the United States has little equity at stake – and thus little basis for restricting UK access to the data. Conversely, the United States does have an equity in the data of persons within their territory. It also has an interest in regulating access to the data of their citizens and legal permanent residents wherever located. This framework reflects these interests, and would require the UK to continue to work with the US government to obtain the data of persons located in the US, as well as the data of US citizens and legal permanent residents, wherever they are located.
Importantly, as we envision it, these agreements would be reciprocal—meaning that, under the US-UK example, the United States would be able to directly request data from a UK-based provider under an analogous arrangement. While we recognize that currently requests tend to flow the other way (from foreign governments to US-based providers), this is not likely to be the situation forever. This framework thus serves governmental interests over the short and long-term.
II. Human Rights Requirements
These requirements would operate on two levels:
First, the country itself must meet basic human rights and due process standards in both law and practice, including, but not limited to, requirements that the country provides basic fair trial rights, adequately limits government access to data in accordance with basic privacy rights, and does not torture or engage in cruel and inhumane treatment of persons in its custody or control.
This requirement is designed to protect against collected data being used in ways that would violate individual rights. It thus precludes agreements with countries that fail to meet baseline human rights standards.
Second, both the country’s system for cross-border requests should provide for, and the specific requests made under this regime should meet, the following elements:
- Authorization: Judicial or other independent authorization, based on a finding of sufficient cause, particularity, legality, and severity.
- Cause: A strong factual basis to believe that a crime has been, is being, or will be committed and that the information is relevant and material to the investigation of the crime.
- Particularity: The request must be specific to a person, account, or device, and particularized as to the type, time frame, and scope of data sought.
- Legality: The request must relate to a crime that is punishable in law. To satisfy this requirement and ensure effective post hoc accountability, the request to the provider must include a short statement as to the conduct being investigated, the relevant criminal statute under the foreign government’s law, and the legal authority for the request.
- Severity: The criminal activity being investigated must be subject to at least one-year period of incarceration.
- Notice: The foreign government should make a reasonable, good faith effort to provide notice to the target; this notification requirement may be delayed based on a determination that notification will jeopardize the investigation or endanger the life or physical safety of an individual.
- Speech: The request must not relate to or be used to infringe the right to free expression.
- Minimization: The requesting country should establish mechanisms to minimize the collection of non-relevant data and to protect against the retention and dissemination of US-person data, unless necessary to the investigation or prosecution of criminal activity.
- Emergencies: Exceptions to the authorization requirement are permitted in situations of true emergency—when there is danger of death or serious bodily injury and there is an immediate need that makes compliance with the authorization requirement impracticable.
These provisions provide a set of minimal standards that govern access to US-held data. They are intended to operate as basic standards, rather than formulaic invocation of specific legal standards that each country must meet. (In other words, a foreign partner would not need to adopt the specific language of “strong factual basis” to satisfy the cause requirement; other formulations can also meet that standard.) We also recognize that not all countries will be able to satisfy all of these requirements currently. Rather, these are benchmarks that countries will need to work toward in order to be able to make direct requests for data from US-based service providers.
III. Transparency / Accountability
In order to ensure compliance with these requirements—and to promote good governance—enhanced transparency and effective accountability mechanisms will be essential. These should include, at a minimum, the following:
- Transparency Reports: Requesting countries must publish annual reports regarding the number, type, and temporal scope of the data requests they issue under this framework. Companies should be permitted to disclose the same information on the request they receive.
- Audits: There should be an effective mechanism for assessing, at some regular interval, participating nations’ compliance with the above-stated requirements, consistent with basic principles of sovereignty.
- Sanctions: Requesting countries that are found to have violated the above-stated requirements may forfeit their ability to directly request data from the providers. Companies that provide stored communications in violation of the above-stated requirements will continue to be subject to any applicable sanctions under US law.
This preliminary framework necessarily operates at a high level of generality, and much work remains to make it operational. Among other unresolved issues is whether such a framework should apply solely to the content of communications, or should include standards for accessing certain non-content data (including, for example, to/from lines on emails or records of session times and duration). Foreign government access to this non-content data is currently not governed by ECPA, and we think that there is a need for standards to govern access to this type of data as well—which can reveal an enormous about one’s associations and interests.
As already stated, we welcome readers’ feedback. We hope this framework can guide and prod a discussion that we think is critical—for the future of privacy and speech rights and for the future of the Internet as a platform for innovation and communication across the globe.